Now THAT’S password security!


This pilot fish’s job at a large government agency includes an important but occasional task: logging into a system at another large government agency every few months.

And that shouldn’t be aggravating, but it is. “For a long time, I was getting frustrated because it seemed like I could never remember my password,” says fish. “It seemed like no matter how many times I wrote it down, it wouldn’t work the next time I tried to log in.

“I would try to log in, I would be told my password was invalid, and so I’d create a new one. Once I submitted the updated password, I was logged in and could go about my business. Then, three months later, I’d have to repeat the process.”

Eventually, fish can no longer restrain his engineering urge, and he decides to do some testing to identify the actual problem.

First he attempts a login, and as usual it fails. He goes to the password-reset page, but instead of typing his new password into the input box, he types it into a text file, then copies and pastes it. That way, he knows he’ll be inputting exactly the same password every time.

Then he immediately logs out and tries to log back in by pasting in the password. And as before, the new password fails.

Fish tries several more times, and it keeps failing — even though it’s the same pasted password every time.

Clearly, it’s help desk time. Fish makes the call, and after several rounds of debugging and testing, there’s finally a clear answer: The passwords that fish is creating when his account is reset are all too long.

“But instead of failing, the reset system simply chopped off the extra characters and saved the result,” fish says. “So my password of ‘ABC=12345’ became ‘ABC=12’. But on the password-setting page, there was no mention of a maximum length, and no error message for a too-long password.

“And a year later, now that they’re aware of the problem, there’s still no error message, and no warning of a maximum password length. I guess it’s more efficient to have users create a new password every time they log in than it is to tell them what a valid password is.”
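The failure mode in the story is a reset path that silently truncates a new password while the login path compares the full string the user typed, so the two can never agree. The following Python is an added example, not the agency's code: it puts a silently truncating reset handler beside a strict one that rejects over-long input with an explicit error. The 6-character limit is inferred from the story's ‘ABC=12345’ → ‘ABC=12’; the hashing scheme, store class and user name are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed example. The limit is inferred from the story (9 chars became 6);
# the real backend's limit and hashing scheme are unknown.
MAX_PASSWORD_LEN = 6


class PasswordTooLong(ValueError):
    """Raised by the hardened reset when the submitted password exceeds the limit."""


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the backend really uses; only the
    # truncation behaviour matters for this demonstration.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Store:
    def __init__(self):
        self.records = {}  # username -> (salt, password hash)

    def _save(self, user, password):
        salt = os.urandom(16)
        self.records[user] = (salt, _hash(password, salt))

    def verify(self, user, password):
        # Login path: never truncates, compares exactly what the user typed.
        if user not in self.records:
            return False
        salt, stored = self.records[user]
        return hmac.compare_digest(stored, _hash(password, salt))


class SilentTruncatingStore(Store):
    def reset(self, user, new_password):
        # The bug from the story: chop off the extra characters and save the
        # result without telling the user anything.
        self._save(user, new_password[:MAX_PASSWORD_LEN])


class StrictStore(Store):
    def reset(self, user, new_password):
        # The fix: enforce on reset the same limit the backend actually has,
        # and surface it as an error instead of altering the credential.
        if len(new_password) > MAX_PASSWORD_LEN:
            raise PasswordTooLong(
                f"password must be at most {MAX_PASSWORD_LEN} characters"
            )
        self._save(user, new_password)


def reproduce_story():
    """Buggy store: returns (login with the full password, login with the truncated one)."""
    s = SilentTruncatingStore()
    s.reset("fish", "ABC=12345")
    return s.verify("fish", "ABC=12345"), s.verify("fish", "ABC=12")


def hardened_behaviour():
    """Strict store: returns (over-long reset was rejected, login works after a valid reset)."""
    s = StrictStore()
    try:
        s.reset("fish", "ABC=12345")
        rejected = False
    except PasswordTooLong:
        rejected = True
    s.reset("fish", "ABC=12")
    return rejected, s.verify("fish", "ABC=12")


if __name__ == "__main__":
    print("buggy store:", reproduce_story())     # (False, True)
    print("strict store:", hardened_behaviour())  # (True, True)
```

The first result is exactly what fish saw: the password he just set fails, while the chopped version he never knew about would have worked. The general rule the strict store follows is that every input constraint the storage layer enforces must be validated and reported at the point of entry, and the reset and login paths must apply identical normalization; a reset-then-immediate-login-failure pattern in authentication logs is the cheapest signal that they have drifted apart.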